Energy Infrastructure Through the Eyes of a Next-Generation SOC/SIEM. Janusz Sawicki, Security Sales Account Executive, Micro Focus, (M) +48 609 82 12 14, [email protected]

Post on 20-Apr-2022


Page 1: Energy Infrastructure Through the Eyes of a Next-Generation SOC/SIEM - PTPiREE


Page 2

Source : https://www.youtube.com/watch?v=c3kP-jjgx1E

The fourth industrial revolution

Page 3

Source: F-Secure - IoT-Threat-Landscape.pdf

IN THE BEGINNING

In 2002, the first malware that could infect IoT devices was discovered

Tsunami, AKA Kaiten

• Spread manually

• Generally targeted Linux machines, including IoT devices like routers and machines running BusyBox

Page 4

Industry 4.0 security incidents

SECURITY INCIDENT | DATE
Disruption of multiple DaimlerChrysler car manufacturing plants by the Zotob worm | August 16, 2005
Stuxnet worm attack on the Natanz nuclear enrichment lab in Iran | 2010
Cyberattacks on Smart Meters | 2010
Cyberattack on a SCADA system of an American water and utility company, causing the destruction of one of the pumps | November 8, 2011
Shamoon virus - cyberattack on Saudi Arabian Oil Company (Saudi Aramco) | August 15, 2012

Page 5

Industry 4.0 security incidents

SECURITY INCIDENT | DATE
Havex / Dragonfly – a Remote Access Trojan targeting SCADA, PLC and DCS systems | 2014
German steel mill attack | 2014
Cyberattack on Kemuri Water Company's water treatment plant | 2015
Cyberattack on a power grid in Ukraine | December 23, 2015
Mirai – IoT botnet attack | October 21, 2016
Industroyer – second cyberattack on the Ukrainian power grid | December 17, 2016
WannaCry ransomware worldwide cyberattack | May 2017

Page 6

Industry 4.0 security incidents

SECURITY INCIDENT | DATE
NotPetya - ransomware created to cause damage | June 2017
Triton malware attack on a Safety Instrumented System (SIS) | November 2017
... | ...

Page 7

CyberScape

Page 8

Source : https://collaborate.mitre.org/attackics/index.php/Technique_Matrix

Page 9

Visual representation of some state-of-the-art networking technologies for IoT

Source : Internet of Things Security Landscape - Cyber Security Agency of Singapore Ministry of Economic Affairs and Climate Policy of the Netherlands

Page 10

Why the Current SOC Can’t Keep Up

Fragmented Security

Scalability

Data Volume

Advanced Attacks

The War for Talent

Page 11

What a Next-Gen SOC Needs

Fragmented Security

Scalability

Data Volume

Advanced Attacks

The War for Talent

Rich Analytics

Layered Analytics

Scalable Architecture

Intelligent Automation

Complete Ecosystem

Page 12

How to Connect the Mass of IoT Data with SOC/SIEM

Diagram: Traditional N : 1 Architecture vs. Open N : M Architecture. In both, the sources (OT, IoT, Physical, IT) feed the consumers (SIEM, Hadoop, UEBA/UBA, Advanced Analytics, Hunt, Visualization); in the open architecture they do so through the ArcSight Transformation Hub (Apache Kafka included).

IoT to SIEM options:

▪ Kafka Connect for MQTT, MQTT Proxy, Build Your Own Custom Bridge, MQTT Broker Extension

▪ Kafka Connect for CoAP

▪ ArcSight SmartConnectors, ArcSight Flex Connectors

Page 13

What Connectors do:

Encrypted + Compressed + Split Feeds + Rate Limiting + Batching + Scheduling

Data reception: receive logs from any data source

Normalization: human-readable fields, so rules/monitors apply across different log sources

Categorization: the same rules/searches still apply after new device vendors are introduced

Enrichment: saves the time otherwise spent building context manually

Common Format (diagram): sources IT, OT, Custom, IoT and Physical are mapped onto shared fields such as Source IP, Time Stamp, Bytes Out, Device Class, Request URL, Significance, Behavior, Object, Outcome, Device Group, Geo Location and Host Name. Other labels on the diagram: Network Model, Delivery Layer, Cloud.

More : https://www.microfocus.com/documentation/arcsight/
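As an added illustration of the four connector steps above (reception, normalization, categorization, enrichment), this is not ArcSight code: the field names are modeled loosely on the slide's Common Format, and the two raw records, the asset inventory and the rule are constructed. It shows the point of the slide: one rule written against normalized fields fires the same way for an IT firewall line and an IoT meter message.

```python
import json
import re

# Constructed asset inventory standing in for the enrichment step (hypothetical).
ASSETS = {
    "10.1.0.5": {"deviceGroup": "IT", "geoLocation": "Warsaw, PL"},
    "10.20.3.7": {"deviceGroup": "OT", "geoLocation": "Substation B"},
}

# Constructed sample feeds: a syslog-style firewall line (IT) and a JSON
# telemetry message from a meter gateway (IoT); neither is a real vendor format.
RAW_EVENTS = [
    "2022-04-20T10:01:02Z fw-edge-01 fw: DENY src=10.1.0.5 dst=203.0.113.9 bytes=1480",
    '{"t":"2022-04-20T10:01:05Z","gw":"meter-gw-3","ip":"10.20.3.7","msg":"cfg_write","ok":true,"bytes":96}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ bytes=(?P<bytes>\d+)$"
)

def normalize(raw):
    """Map one raw record onto common-format fields; also assigns the category fields."""
    m = SYSLOG_RE.match(raw)
    if m:
        denied = m["action"] == "DENY"
        return {"timeStamp": m["ts"], "hostName": m["host"], "sourceIp": m["src"],
                "bytesOut": int(m["bytes"]), "deviceClass": "Firewall",
                "behavior": "/Access", "object": "/Host/Application/Service",
                "outcome": "/Failure" if denied else "/Success",
                "significance": "/Informational/Warning" if denied else "/Informational"}
    d = json.loads(raw)  # anything that is not syslog is treated as gateway JSON
    cfg = d["msg"] == "cfg_write"
    return {"timeStamp": d["t"], "hostName": d["gw"], "sourceIp": d["ip"],
            "bytesOut": int(d.get("bytes", 0)), "deviceClass": "SmartMeterGateway",
            "behavior": "/Modify/Configuration" if cfg else "/Execute/Query",
            "object": "/Host/Device/Meter",
            "outcome": "/Success" if d["ok"] else "/Failure",
            "significance": "/Informational/Warning" if cfg else "/Informational"}

def enrich(event):
    """Add device group and geo location from inventory; unknown hosts are marked as such."""
    info = ASSETS.get(event["sourceIp"], {"deviceGroup": "Unknown", "geoLocation": "Unknown"})
    return {**event, **info}

def ot_warnings(raw_events):
    """One rule over every source: warning-level events from devices in the OT group."""
    events = [enrich(normalize(r)) for r in raw_events]
    return [e for e in events if e["deviceGroup"] == "OT" and e["significance"].endswith("/Warning")]
```

Adding a third vendor only means writing its normalize branch; the rule in ot_warnings stays untouched, which is the categorization claim on the slide.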

Page 14

Collect

• Connect to all your data

Explore

• Efficient threat hunting and investigation

Analyze

• Detect known and unknown threats in real-time

Store

• Compliance

• Basis for scaled out analytics

Prepare

• Normalize, Enrich

• Initial analysis

Act

• Automatic remediation when a threat has been found

Security Open Data Platform

ArcSight Logger

ArcSight Recon

SOAR Integrations (Micro Focus ArcSight 2020)

ArcSight ESM

ArcSight Interset

Page 15

Page 16

Layered Threat Detection

Real-time Correlation | Unsupervised Machine Learning
Detect Known Threats | Detect Unknown Threats
Correlate all data to find threats. | No rules or thresholds.

Most real-world threat scenarios require a mix of both approaches.

Page 17

Security Open Data Platform

▪ Collect from anywhere

▪ Use it everywhere

▪ Clean, enriched data enables greater insights

▪ Structured data is more cost-effective

Page 18

ArcSight Recon

▪ Unifies storage, reporting, investigation and analysis of elusive unknown threats

▪ Cost-effective long term data storage

▪ Non-stop security compliance

▪ Ingest and search through billions of events in seconds

▪ Built-in analytics and guidance

Page 19

▪ Industry-leading correlation engine with customizable rules

▪ Scalable (up to 100k EPS)

▪ Triage, ticketing and automated response

▪ Many partners and integrations

▪ Flexible architecture and configuration

▪ Includes ArcSight Fusion: the new dashboard UI for ArcSight SecOps

ArcSight ESM

Page 20

Extensive Coverage of MITRE ATT&CK

Page 21

▪ Behavior-based anomaly detection to better detect insider threats

▪ See potential threats in context

▪ Cut through the noise to investigate priority threats

▪ Visualize and respond quickly

▪ Scale as you grow with Interset’s native big data architecture

ArcSight Interset

Page 22

Security Orchestration, Automation and Response

▪ Automated Response

▪ ArcSight APIs

▪ SOAR acquisition

▪ Digital Workflow and SOAR partners

Page 23

Building Playbooks with ArcSight SOAR

Page 24

Diagram: Analyst Tasks (an Analyst Task inside a Playbook, grouped into Task Lists)

Page 25

NPC Ukrenergo Powers Security with ArcSight

▪ Industry: Energy and Utilities

▪ Location: Ukraine

▪ Challenge: Protect critical infrastructure from cyberattacks, create visibility into threat data, and encourage cross-team collaboration

▪ Solutions Deployed: ArcSight ESM and Logger were deployed to lay the foundation for a multi-tier SOC. ArcSight Flex Connectors collect event sources for categorization, aggregation and enrichment.

RESULTS

▪ Enabled cross-team collaboration

▪ Improved alerting and incident response

▪ 230,000+ consumers

▪ Monitor security across:

Page 26

More Visibility, Less Risk with ArcSight

▪ 30% security alarm reduction

▪ 98% risk mitigation rate

▪ 99% device visibility

▪ + reduced meter fraud

▪ Industry: Energy and Utilities

▪ Location: Dubai, United Arab Emirates

▪ Challenge: Consolidate IT with OT so that data can be shared between systems to improve threat intelligence and device monitoring

▪ Solution: Deployed ArcSight ESM, SODP, and Investigate to build a sophisticated security ecosystem that could interface with their existing Hadoop, Spark, and Elastic solutions

Page 27

Source : https://www.youtube.com/watch?v=qd9eQX7gL5s&feature=youtu.be

Dubai Electricity and Water Authority

Page 28

Thank you Q/A